Hi list,
I received the following (see below) in an email from logcheck on my
home desktop running Sarge. Looks like an attempt to cause a buffer
overflow in rpc.statd. System logs don't include anything else that
looks suspicious.
This system was up-to-date with security updates
On Wed, Nov 09, 2005 at 10:28:53AM -0500, Kevin B. McCarty wrote:
Quoting Kevin B. McCarty ([EMAIL PROTECTED]):
That would probably
On Sun, Sep 29, 2002 at 12:08:01AM +0200, Lupe Christoph wrote:
On Saturday, 2002-09-28 at 18:33:43 +0200, Wichert Akkerman wrote:
Previously Lupe Christoph wrote:
Opinions? Comments?
Does it really matter?
Well it may collide with a service started after it that wants this
Hi!
I'm running chkrootkit on my workstation, just for testing. After the
last reboot it found:
Checking `bindshell'... INFECTED (PORTS: 600)
Slightly shocking on a workstation without direct Internet connectivity.
Doing an lsof -i :600 showed rpc.statd using this port. Huh? Why a low
port
Previously Lupe Christoph wrote:
Opinions? Comments?
Does it really matter?
Wichert.
--
_
[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.wiggy.net/ |
|
On Saturday, 2002-09-28 at 18:33:43 +0200, Wichert Akkerman wrote:
Previously Lupe Christoph wrote:
Opinions? Comments?
Does it really matter?
Well it may collide with a service started after it that wants this
particular privileged port. I also believe that services that do not
require a
What is this? I don't think anyone got in though, everything seems to be fine.
I'm running woody and rpc.statd version 0.3.3
Dec 29 14:10:58 name rpc.statd[3364]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220
On Mon, Dec 31, 2001 at 09:11:41PM +0100, David Gestel wrote:
What is this? I don't think anyone got in though, everything seems to be
fine.
I'm running woody and rpc.statd version 0.3.3
Yep. The fact that it was logged in this particular case means you're
fine.
--
Daniel Jacobowitz
your libs and stuff to make sure your versions are up to snuff. apt-get dist-upgrade is always a good thing, right?
-Original Message-
From: David Gestel [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 31, 2001 3:12 PM
To: [EMAIL PROTECTED]
Subject: faq? rpc.statd: gethostby
David == David Gestel [EMAIL PROTECTED] writes:
David What is this? I don't think anyone got in though, everything seems to be
David fine.
David I'm running woody and rpc.statd version 0.3.3
David Dec 29 14:10:58 name rpc.statd[3364]: gethostbyname error for
David ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x
On Mon, Dec 31, 2001 at 03:18:46PM -0500, Daniel Jacobowitz wrote:
Yep. The fact that it was logged in this particular case means you're
fine.
A long time ago a RedHat 6.2 box I had an account on was exploited using the same
exploit, and it did log that. I'd recommend running chkrootkit or
On Mon, Dec 31, 2001 at 09:11:41PM +0100, David Gestel wrote:
Dec 29 14:10:58 name rpc.statd[3364]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\
Do you use NFS, NIS or anything that needs portmap? If not, then you might want
to uninstall
Russell == Russell Speed [EMAIL PROTECTED] writes:
Russell I am curious if the following is an example of a buffer overflow. I
Russell noticed this in my syslog - and the following day had someone logged in
Russell from an IP I'm not aware of.
Btw, I noticed the attack because syslogd did a
: rpc.statd being attacked?
I've gotten logs several times that read something like
Aug 20 19:20:24 adsl-63-193-247-253 rpc.statd[330]: gethostbyname error for ^XF7FFBF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220
On Tue, Aug 21, 2001 at 01:28:24PM -0700, Daniel Schepler wrote:
I've gotten logs several times that read something like
Aug 20 19:20:24 adsl-63-193-247-253 rpc.statd[330]: gethostbyname error for ^X
F7FFBF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FF
BF^[F7FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x
test command (touch /blah) was not executed. This seems evidence to me that
it was actually the old rpc.statd hole he/she tried to crack, and I know my
version is safe (not because my own attack failed, but because debian says
so).
I will
- install tripwire to observe more
- remove nfs-common
this possible or is it planned?
Oliver
-Original Message-
From: Lukas Eppler [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 12 July 2001 10:36
To: Alvin Oga; kath
Cc: [EMAIL PROTECTED]
Subject: Re: was I cracked? (rpc.statd, new version)
Thank you all for the hints.
I think I
On Thu, Jul 12, 2001 at 05:33:29AM -0700, Krause, Oliver wrote:
Can dpkg check the files in my filesystem against the version which is
in the packages database? So i can verify if the binary was modified.
Then the only thing i need is a signing of the dep-packages and the
database itself
it properly.
thanks,
jc
Thusly Thwacked By Jeremy Gaddis:
Someone attempted to run the rpc.statd buffer overflow on
you, but it appears to have failed. The reason you see
/bin/sh in the log entry is because that's part of the
shellcode of the exploit. The exploit, when successful
On Wed, Jul 11, 2001 at 11:42:03AM +0100, Lukas Eppler wrote:
I have the following entries in /var/log/messages:
Jul 9 01:21:03 blue -- MARK --
Jul 9 01:21:11 blue
Jul 9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
^XF7FFBF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF
/rpc.statd[166]: gethostbyname error for
^XF7FFBF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Alvin Oga [EMAIL PROTECTED] writes:
hi ya lukas
how did you check for modified binaries ???
if it's an up to date deb box... it's a failed attempt...
if it's a redhat box... time to go digging...
you have to check the filesize of the binaries... not just the date...
compared to one that
[EMAIL PROTECTED]
To: Lukas Eppler [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, July 11, 2001 5:45 PM
Subject: Re: was I cracked? (rpc.statd, new version)
hi ya lukas
how did you check for modified binaries ???
if it's an up to date deb box... it's a failed attempt...
if it's a redhat box
Someone attempted to run the rpc.statd buffer overflow on
you, but it appears to have failed. The reason you see
/bin/sh in the log entry is because that's part of the
shellcode of the exploit. The exploit, when successful,
executes /bin/sh on your machine and leaves the attacker
sitting
...
and if you're really paranoid... run some tests on it..
have fun
alvin
http://www.Linux-Sec.net -- turn it off stuff ..
On Wed, 11 Jul 2001, Lukas Eppler wrote:
I have the following entries in /var/log/messages:
Jul 9 01:21:03 blue -- MARK --
Jul 9 01:21:11 blue
Jul 9 01:21:11 blue /sbin/rpc.statd
hi ya stig...
yes... that too...
but i think that one should do some checking/digging
BEFORE reinstalling ...
- one should know how they got in...
- one should know why they got in..
- one should know what time they got in...
- one should know what files they added and which was modified
- one
hi ya kath
naw... they always leave some traces of what they did
to your PC...
i think tripwire is an overkill for what you need to know
in 2 minutes... did they replace my binaries...
if you think someone came into your box...
i like a simple/stupid solution
tar zcvf
I saw messages on this list from early in the year about an rpc.statd
exploit, and I believe it just happened to me. I'd appreciate any help
from you all. I'm on a new 2.2 install from CD-ROM; both nfs-common
and nfs-kernel-server are version 0.1.9.1-1. Someone on this list said
if it
succeeded then rpc.statd would have crashed before writing the log to
syslog.
The best way to try and find out whether you've been cracked or not (in
future cases) is to install something like tripwire, which walks all
over your filesystems generating a database of attributes of all the
files
On Sun, 8 Apr 2001 18:04:54 -0400
"Robert Bartels" [EMAIL PROTECTED] wrote:
I saw this in my logs today.
Apr 8 15:08:43 mikado rpc.statd[179]: gethostbyname error for
^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
37x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\2
On Sun, Apr 08, 2001 at 06:04:54PM -0400, Robert Bartels wrote:
I saw this in my logs today.
Apr 8 15:08:43 mikado rpc.statd[179]: gethostbyname error for
^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
37x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20
On Mon, Apr 09, 2001 at 12:18:50AM +0200, Sander Smeenk (CistroN Medewerker) wrote:
I saw this in my logs today.
Apr 8 15:08:43 mikado rpc.statd[179]: gethostbyname error for
It looks like statd is still running. Is rpc still vulnerable?
Is there a way to track down who
Quoting Daniel Jacobowitz [EMAIL PROTECTED]:
way to track down who
connected to rpc.statd?
Run a tcp logger, like ippl.
Even better and more efficient would be to create an ipchains rule that accepts
this data and logs it. That way you are focusing on logging just the data you
On Mon, Apr 09, 2001 at 12:47:31PM +1200, Simon Murcott wrote:
Quoting Daniel Jacobowitz [EMAIL PROTECTED]:
way to track down who
connected to rpc.statd?
Run a tcp logger, like ippl.
Even better and more efficient would be to create an ipchains rule that
accepts
this data
I got the following (alarming) messages on syslog:
Jan 8 13:34:23 yuban syslogd: Cannot glue message parts together
Jan 8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for
^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\
xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\xbf^[\xf7\xff
[EMAIL PROTECTED] writes:
I got the following (alarming) messages on syslog:
Jan 8 13:34:23 yuban syslogd: Cannot glue message parts together
Jan 8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for
^X\xf7\xff\xbf^X\xf7[snip]
Jan 8 13:34:23 yuban \xc7^F/bin\xc7F^D/shA0\xc0
Previously [EMAIL PROTECTED] wrote:
I got the following (alarming) messages on syslog:
This is becoming a FAQ.. it's a failed crack attempt.
Wichert.
--
/ Generally uninteresting signature - ignore at your convenience \
|
I got the following (alarming) messages on syslog:
This is becoming a FAQ.. it's a failed crack attempt.
I got the same attempt on Sunday. This is what I found out about it:
"The rpc.statd program passes user-supplied data to the syslog() function
as a format string. If there is no
thoughts. Comments?
--Jason
hi guys. i have logcheck installed so i got this message tonight:
(sorry about the long lines, it's the way it came to me)
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Oct 10 19:31:37 thosolin
Oct 10 19:31:37 thosolin /sbin/rpc.statd[125]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
does not indicate a
problem. If the attack had succeeded, rpc.statd would have most likely
have crashed before it finished writing to the syslog (I think... don't
quote me on that). It will certainly continue to log the attack in
this annoying manner. Potato and woody are not vulnerable.
Dan